CVE-2025-38349
Vulnerability Scoring
Analysis In Progress
CVE-2025-38349 Vulnerability Analysis & Exploit Details
CVE-2025-38349
Attack Complexity Details
-
Attack Complexity:
Attack Complexity Analysis In Progress
-
Attack Vector:
Attack Vector Under Analysis
-
Privileges Required:
None
No authentication is required for exploitation.
-
Scope:
Impact is confined to the initially vulnerable component.
-
User Interaction:
None
No user interaction is necessary for exploitation.
CVE-2025-38349 Details
Status: Received on 18 Jul 2025, 08:15 UTC
Published on: 18 Jul 2025, 08:15 UTC
CVSS Release:
CVE-2025-38349 Vulnerability Summary
CVE-2025-38349: In the Linux kernel, the following vulnerability has been resolved: eventpoll: don't decrement ep refcount while still holding the ep mutex Jann Horn points out that epoll is decrementing the ep refcount and then doing a mutex_unlock(&ep->mtx); afterwards. That's very wrong, because it can lead to a use-after-free. That pattern is actually fine for the very last reference, because the code in question will delay the actual call to "ep_free(ep)" until after it has unlocked the mutex. But it's wrong for the much subtler "next to last" case when somebody *else* may also be dropping their reference and free the ep while we're still using the mutex. Note that this is true even if that other user is also using the same ep mutex: mutexes, unlike spinlocks, can not be used for object ownership, even if they guarantee mutual exclusion. A mutex "unlock" operation is not atomic, and as one user is still accessing the mutex as part of unlocking it, another user can come in and get the now released mutex and free the data structure while the first user is still cleaning up. See our mutex documentation in Documentation/locking/mutex-design.rst, in particular the section [1] about semantics: "mutex_unlock() may access the mutex structure even after it has internally released the lock already - so it's not safe for another context to acquire the mutex and assume that the mutex_unlock() context is not using the structure anymore" So if we drop our ep ref before the mutex unlock, but we weren't the last one, we may then unlock the mutex, another user comes in, drops _their_ reference and releases the 'ep' as it now has no users - all while the mutex_unlock() is still accessing it. Fix this by simply moving the ep refcount dropping to outside the mutex: the refcount itself is atomic, and doesn't need mutex protection (that's the whole _point_ of refcounts: unlike mutexes, they are inherently about object lifetimes).
Assessing the Risk of CVE-2025-38349
Access Complexity Graph
The exploitability of CVE-2025-38349 depends on two key factors: attack complexity (the level of effort required to execute an exploit) and privileges required (the access level an attacker needs).
Exploitability Analysis for CVE-2025-38349
No exploitability data is available for CVE-2025-38349.
Understanding AC and PR
A lower complexity and fewer privilege requirements make exploitation easier. Security teams should evaluate these aspects to determine the urgency of mitigation strategies, such as patch management and access control policies.
Attack Complexity (AC) measures the difficulty in executing an exploit. A high AC means that specific conditions must be met, making an attack more challenging, while a low AC means the vulnerability can be exploited with minimal effort.
Privileges Required (PR) determine the level of system access necessary for an attack. Vulnerabilities requiring no privileges are more accessible to attackers, whereas high privilege requirements limit exploitation to authorized users with elevated access.
CVSS Score Breakdown Chart
Above is the CVSS Sub-score Breakdown for CVE-2025-38349, illustrating how Base, Impact, and Exploitability factors combine to form the overall severity rating. A higher sub-score typically indicates a more severe or easier-to-exploit vulnerability.
CIA Impact Analysis
Below is the Impact Analysis for CVE-2025-38349, showing how Confidentiality, Integrity, and Availability might be affected if the vulnerability is exploited. Higher values usually signal greater potential damage.
-
Confidentiality:
None
CVE-2025-38349 does not compromise confidentiality.
-
Integrity:
None
CVE-2025-38349 does not impact data integrity.
-
Availability:
None
CVE-2025-38349 does not affect system availability.
CVE-2025-38349 References
External References
- https://git.kernel.org/stable/c/521e9ff0b67c66a17d6f9593dfccafaa984aae4c
- https://git.kernel.org/stable/c/605c18698ecfa99165f36b7f59d3ed503e169814
- https://git.kernel.org/stable/c/6dee745bd0aec9d399df674256e7b1ecdb615444
- https://git.kernel.org/stable/c/8c2e52ebbe885c7eeaabd3b7ddcdc1246fc400d2
CWE Common Weakness Enumeration
Unknown
Protect Your Infrastructure against CVE-2025-38349: Combat Critical CVE Threats
Stay updated with real-time CVE vulnerabilities and take action to secure your systems. Enhance your cybersecurity posture with the latest threat intelligence and mitigation techniques. Develop the skills necessary to defend against CVEs and secure critical infrastructures. Join the top cybersecurity professionals safeguarding today's infrastructures.
Other 5 Recently Published CVEs Vulnerabilities
- CVE-2025-6233 – Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the...
- CVE-2025-50126 – A stored XSS vulnerability in the RSBlog! component 1.11.6-1.14.5 Joomla was discovered. The issue allows remote authenticated users to inject arbi...
- CVE-2025-50058 – A stored XSS vulnerability in the RSDirectory! component 1.0.0-2.2.8 Joomla was discovered. The issue allows remote authenticated attackers to inje...
- CVE-2025-50057 – A DOS vulnerability in RSFiles! component 1.16.3-1.17.7 Joomla was discovered. The issue allows unauthenticated remote attackers to deny access to ...
- CVE-2025-50056 – A reflected XSS vulnerability in RSMail! component 1.19.20 - 1.22.26 28 Joomla was discovered. The issue allows remote attackers to inject arbitrar...